[tahoe-dev] same origin

James A. Donald jamesd at echeque.com
Fri Jul 30 08:21:33 UTC 2010

On 2010-07-30 1:17 PM, Chris Palmer wrote:
> James A. Donald writes:
>> Presumably cookie scope would also be same origin

> Presumably, but very often not in fact. In the Set-Cookie: header you can
> specify a broader scope for cookies, and people often do.

But it would not help the attacker to set a broader scope.  The attacked 
would have to set a broader scope - assuming he is following the 
standard measures to avoid cookie fixation.

It is standard to set your cookie scope for the entire website, if you 
control the entire website.  If your web page is appearing on tahoe, you 
do not.

So a local service that mapped all *.tahoe domains to the same IP would 
enable same origing protection between tahoe documents.

More information about the tahoe-dev mailing list